Educause Security Discussion mailing list archives

Re: Handling flood of returned e-mail messages due to spam with forged sender address


From: Dick Jacobson <Dick.Jacobson () NDSU NODAK EDU>
Date: Tue, 17 Aug 2004 09:24:02 -0500

On Mon, 16 Aug 2004, Scott Weeks wrote:

On Mon, 16 Aug 2004, Gary Flynn wrote:

Hi Gary,

:  Anyone else been through this already?

Yes


:  Did the activity stop by itself after a period of time?

No, at least at my ISP.  Not a problem here at work, so I assume there may
be a setting the email administrator can set.


:  I'm getting ready to send abuse reports to the dozens of sending
:  organizations but I'm not optimistic.

It won't help.  There's nothing they can do.  It's a virus that searches
the addressbook of the infected machine.  It has nothing to do with the
other folks, except that they're in the addressbook of the infected
machine.


:  Why would someone pick a real address of a single person to forge
:  in these messages anyway? To our knowledge, this isn't retaliatory
:  activity but I guess you never really know.

Because that's the way the virus was written.  It's not retaliatory if
it's the virus I'm describing.

And when was the last time you saw a real spammer use their own real
address on the From: line?

As postmaster I was getting several thousand of these daily - a couple
years ago.  We used filters to divert the mail before it hit my inbox.  Of
course I need to clean the log files frequently to avoid quota problems.
;-)

This is the reason I insisted we not try to return infected mail to the
source (or notify them).  The a/v vendors have not developed the code to
be able to rip apart the headers to determine the true origin.


scott

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.



--

-----------------------------------------------------------------------
Dick Jacobson                   e-mail : Dick.Jacobson () ndsu NoDak edu
ND HECN MultiUser Host SysAd    office : IACC 206, NDSU
NDUS IT Security Officer        phone  : 701-231-7385
-----------------------------------------------------------------------
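
Added example, not part of the original message or of any product named in the thread: one way to find where a forged-sender message actually entered your own mail system is to walk the Received headers from the top and believe only the hops your own relays wrote. The relay names, the network range, the Postfix-style header layout and the sample message are all constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Assumptions (hypothetical): names of our relays and our address space.
TRUSTED_BY = {"mailstore.example.edu", "mx1.example.edu"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed Postfix-style clauses: "from HELO (rdns [ip])" and "by host".
FROM_RE = re.compile(r"^from\s+(\S+)\s+\([^)]*\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)")
BY_RE = re.compile(r"\bby\s+(\S+)")

# Constructed sample: the bottom Received line is the kind a sender can
# fabricate; only the two lines written by our relays are evidence.
SAMPLE = """\
Received: from mx1.example.edu (mx1.example.edu [192.0.2.10])
\tby mailstore.example.edu with ESMTP id A1; Tue, 17 Aug 2004 09:00:02 -0500
Received: from dsl-host.example.net (unknown [198.51.100.77])
\tby mx1.example.edu with SMTP id B2; Tue, 17 Aug 2004 09:00:01 -0500
Received: from mail.victim.example (mail.victim.example [203.0.113.5])
\tby dsl-host.example.net with SMTP; Tue, 17 Aug 2004 08:59:00 -0500
From: someone@victim.example
To: user@example.edu
Subject: hello

body
"""

def true_origin(raw):
    """Return the first peer outside our network, as logged by our own relays."""
    msg = message_from_string(raw)
    for hop in msg.get_all("Received", []):      # newest hop first
        hop = " ".join(hop.split())              # unfold continuation lines
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in TRUSTED_BY:
            return None                          # not written by us: stop trusting
        frm = FROM_RE.match(hop)
        if not frm:
            continue                             # no peer recorded on this hop
        ip = ipaddress.ip_address(frm.group(2))
        if not any(ip in net for net in TRUSTED_NETS):
            return {"ip": str(ip), "helo": frm.group(1),
                    "claimed_from": msg["From"]}
    return None

if __name__ == "__main__":
    print(true_origin(SAMPLE))
```

The returned address is the host that connected to the border relay; the From: value is reported only as a claim, so any complaint or block goes to the connecting network rather than to the forged sender.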
